From fd7d78e7727f02abcb92aa92f6e7a1afa6baef14 Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 12:14:24 +0800
Subject: [PATCH] fix: escape XML-unsafe characters in RSS feed output
The RSS feed interpolates author names directly into XML without escaping. An author name containing < > & or other XML metacharacters produces malformed XML that breaks RSS readers. Also encode slug in URLs with encodeURIComponent for safety. Add an escapeXml helper and apply it to the author field; use encodeURIComponent for slug in link/guid URLs.
Co-Authored-By: Claude Opus 4.6
---
 apps/web/app/blog/rss.xml/route.ts | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/apps/web/app/blog/rss.xml/route.ts b/apps/web/app/blog/rss.xml/route.ts
index 795e767..de87d15 100644
--- a/apps/web/app/blog/rss.xml/route.ts
+++ b/apps/web/app/blog/rss.xml/route.ts
@@ -4,6 +4,15 @@ import { getDb } from '@/lib/db';
 const BASE = 'https://c0upons.com';
+function escapeXml(str: string): string {
+ return str
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+}
+
 export async function GET() {
 let posts: Array<{ slug: string; title: string; excerpt: string | null; published_at: string; author: string | null }> = [];
@@ -23,10 +32,10 @@ export async function GET() {
 const items = posts.map((p) => `
 <![CDATA[${p.title}]]>
- ${BASE}/blog/${p.slug}
- ${BASE}/blog/${p.slug}
+ ${BASE}/blog/${encodeURIComponent(p.slug)}
+ ${BASE}/blog/${encodeURIComponent(p.slug)}
 ${p.excerpt ? `` : ''}
- ${p.author ? `${p.author}` : ''}
+ ${p.author ? `${escapeXml(p.author)}` : ''}
 ${new Date(p.published_at).toUTCString()}
 `).join('');
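Review bot: In the `posts.map` hunk the title is still interpolated raw inside a CDATA section (`<![CDATA[${p.title}]]>`), so a title from the same database rows that contains the sequence `]]>` terminates the section early and produces the same malformed feed XML this commit fixes for `author`; the excerpt line appears to use the same pattern, though its content is not fully legible on this page. The consistent fix is to reuse the new helper instead of CDATA, e.g. `${escapeXml(p.title)}` in place of `<![CDATA[${p.title}]]>`, and likewise for the non-null excerpt branch. Separately, as rendered here the replacement strings in `escapeXml` read as identity replacements (`'&'` for `&`) and one `.replace` call is missing; this is very likely entity decoding by the page rather than the patch, but the committed literals should be confirmed to be the five XML entity references, with the `&` replacement first as it is now. The body of `GET` begins before this hunk.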